What does the NIS2 Implementation Act mean for companies?

In today's digital era, companies are increasingly affected by complex cyber threats. To meet these challenges and protect digital infrastructure, the European Union has adopted the NIS2 (Network and Information Security) Directive. The new directive is intended to strengthen cyber security in Europe and sets extended requirements for companies.

In this blog post, we explain the key measures that companies should take in accordance with the NIS2 Implementation Act.

1. Current status of the proceedings

Directives must always be transposed into national law, and the European Union has set a deadline of 17.10.2024 for this in the directive. The legislative process for the NIS-2 Implementation and Cyber Security Strengthening Act (NIS2UmsuCG) is still ongoing. It is currently not possible to estimate whether it will be completed in time, or what the consequences for affected companies would be if it is not.

Part of the NIS2UmsuCG is the BSI Act (BSIG). Section 28 of the BSIG defines the affected companies and organizations as particularly important institutions; the sectors of particularly important institutions are described in Annexes 1 and 2 of the BSIG.

2. Extended scope of application

Compared to the previous NIS Directive, NIS2 has an extended scope. More sectors and companies, including medium-sized and smaller companies in critical sectors, are now obliged to comply with the new security requirements.

Companies should first check whether they fall under the extended scope of application (i.e. whether they are one of the affected institutions) and adapt their IT security management accordingly.

3. Risk management measures (§ 30)

Affected institutions are obliged to implement technical and organizational measures that ensure the availability, integrity and confidentiality of their systems in order to avoid disruptions or reduce their impact.

The measures should be preceded by a risk assessment and should correspond to the state of the art. We are familiar with a similar approach from data protection:

  • Risk assessment: perform a risk analysis and define IT security requirements.
  • Coping with attacks: measures for damage minimization, damage assessment and damage management.
  • Business continuity: emergency operation, backup management, and the creation of emergency and restart plans.
  • Encryption: use of encryption technologies to protect sensitive information during transmission and storage.
  • Security updates: regular updates and patch management to close security gaps and keep systems up to date.

4. Reporting of security incidents

One of the most important requirements of the NIS2 directive is the mandatory reporting of security incidents. Companies must ensure that they have mechanisms in place to:

  • Detect and assess security incidents: establish a system for detecting and assessing security incidents, including determining their severity.
  • Report to the competent authorities: establish a process for rapid and effective reporting of security incidents to the competent national authorities within the prescribed period.

5. Training and sensitization

Employees are often the weakest link in the security chain. Companies should offer regular training and awareness programs to increase security awareness and inform employees about current threats and best practices. This includes:

  • Phishing simulations: Running phishing simulations to test and improve staff responsiveness.
  • Cybersecurity training: Regular training on various aspects of cybersecurity, including threat detection and the secure use of IT systems.

6. Cooperation and exchange of information

The NIS2 Directive emphasizes the importance of cooperation and the exchange of information between companies and authorities. Companies should:

  • Partnerships and cooperation: build partnerships with other companies and security organizations to share threat intelligence and learn from each other.
  • Participation in information exchange platforms: take part in national and international information exchange platforms to benefit from current threat information and share your own findings.

Conclusion

The NIS2 Implementation Act places higher demands on companies, but at the same time offers the opportunity to strengthen their own cyber security strategy and become more resilient to threats. By implementing these measures, companies can not only ensure their compliance, but also protect their digital infrastructure and business operations in the long term. It is crucial that companies are proactive and take the necessary steps to meet NIS2 requirements.

Stay up to date with the latest developments and ensure that your company is well equipped to meet the challenges of the digital future.

Time is pressing: the deadline for the introduction of NIS2 as applicable law is October 24, 2024. Should this actually happen, all affected companies will have to be NIS2 compliant. ADVASO helps you to meet the legal requirements.

Interesting external links on the topic:

Information from the BMI on the draft law

NIS2 draft law as PDF (BMI from 22.07.2024)

Please also read our blog:

NIS2: Cybersecurity standards for companies

Author

  • Stefan Kröger is a certified data protection and data security expert. He has many years of project experience in the areas of data quality, data protection, data security, compliance, and legal frameworks and guidelines. Stefan is managing director of Audit NRW GmbH and a long-standing partner of ADVASO GmbH.